Ubuntu Upgrade Brings More Security Patches for the Linux Kernel

The Ubuntu security team has released patches for several security vulnerabilities across its supported releases. You need to update now.

How to Update UBUNTU?

For Desktop

By default, users are notified daily of security updates and weekly of non-security updates. How Ubuntu alerts you, as well as whether your system installs updates automatically, can be set up within Update Manager.

You can access Update Manager anytime by pressing ‘Alt+F2’, entering ‘update-manager’ and pressing Enter. Its settings can be adjusted by pressing the ‘Settings’ button.

Once Update Manager is open, you can review and select pending updates as well as check for new updates. Simply press the ‘Install Updates’ button to upgrade the selected packages to the updated version.

For Server

If the update-notifier-common package is installed, Ubuntu will alert you about pending updates via the message of the day (motd) upon console or remote login.

After logging in, you can check for and apply new updates with:

$ sudo apt-get update
$ sudo apt-get dist-upgrade

When performing an update, first review what apt is going to do, then confirm that you want to apply the updates (this is particularly true when running the development release).

If you would prefer to have updates applied automatically, make sure the unattended-upgrades package is installed, then run ‘sudo dpkg-reconfigure unattended-upgrades’.

Please note that updates may restart services on your server, so this may not be appropriate for all environments.
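The review step described above (look at what apt is going to do before confirming) is easy to script. The following is an added example, not code from the page or from Ubuntu itself: a small POSIX shell script that feeds the output of `apt-get -s dist-upgrade` (the simulation flag, which changes nothing) through awk, lists only the packages coming from a `-security` pocket, and flags when a kernel image is among them, since that is the case where the update only takes effect after a reboot. The `Inst` line layout it parses is the standard apt simulation format; the sample output embedded below is constructed for the demo and does not come from a real host, and the package versions in it are placeholders.

```shell
#!/bin/sh
# review_updates.sh: summarise pending security updates from an apt-get simulation.
# Added example; not part of the original page. Runs against the live system when
# apt-get is present, otherwise against the constructed sample below.

# Constructed sample of `apt-get -s dist-upgrade` output (versions are placeholders).
SAMPLE_APT_SIM='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following NEW packages will be installed:
  linux-image-4.4.0-143-generic
The following packages will be upgraded:
  bash libssl1.0.0 linux-image-generic
3 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst bash [4.3-14ubuntu1.3] (4.3-14ubuntu1.4 Ubuntu:16.04/xenial-updates [amd64])
Inst libssl1.0.0 [1.0.2g-1ubuntu4.14] (1.0.2g-1ubuntu4.15 Ubuntu:16.04/xenial-security [amd64])
Inst linux-image-4.4.0-143-generic (4.4.0-143.169 Ubuntu:16.04/xenial-security [amd64])
Inst linux-image-generic [4.4.0.142.148] (4.4.0.143.149 Ubuntu:16.04/xenial-security [amd64])
Conf bash (4.3-14ubuntu1.4 Ubuntu:16.04/xenial-updates [amd64])
Conf libssl1.0.0 (1.0.2g-1ubuntu4.15 Ubuntu:16.04/xenial-security [amd64])'

# Print "package old_version new_version" for each Inst line sourced from a -security pocket.
# New installs (no [old] field) are reported with "-" as the old version.
list_security_updates() {
    printf '%s\n' "$1" | awk '
        $1 == "Inst" && $0 ~ /-security \[/ {
            pkg = $2
            if ($3 ~ /^\[/) {                      # upgrade: "[old] (new origin [arch])"
                old = substr($3, 2, length($3) - 2)
                new = substr($4, 2)
            } else {                               # new install: "(new origin [arch])"
                old = "-"
                new = substr($3, 2)
            }
            print pkg, old, new
        }'
}

# Number of pending security updates.
count_security_updates() {
    list_security_updates "$1" | wc -l | tr -d ' '
}

# Succeeds (exit 0) when a kernel package is among the security updates,
# i.e. the fix only takes effect after the host is rebooted into the new kernel.
kernel_update_pending() {
    list_security_updates "$1" | awk '
        $1 ~ /^linux-(image|modules|headers)/ { found = 1 }
        END { exit !found }'
}

main() {
    if command -v apt-get >/dev/null 2>&1; then
        sim=$(apt-get -s dist-upgrade 2>/dev/null) || sim=""
    fi
    [ -n "${sim:-}" ] || sim=$SAMPLE_APT_SIM    # fall back to the constructed sample

    echo "Pending security updates: $(count_security_updates "$sim")"
    list_security_updates "$sim"
    if kernel_update_pending "$sim"; then
        echo "Kernel update included: schedule a reboot after applying."
    else
        echo "No kernel update pending."
    fi
}

main "$@"
```

On a host with unattended-upgrades enabled, this same view shows what the next automatic run will pull in; the reboot flag is the piece worth wiring into monitoring, because a patched kernel on disk protects nothing until the machine is running it.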

The following Ubuntu Linux vulnerabilities have been fixed.

Linux kernel (Trusty HWE) vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

It was discovered that the CIFS client implementation in the Linux kernel did not properly handle setup negotiation during session recovery, leading to a NULL pointer exception. An attacker could use this to create a malicious CIFS server that caused a denial of service (client system crash). (CVE-2018-1066)

Linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 14.04 LTS

Summary: Several security issues were fixed in the Linux kernel.

Software Description: linux – Linux kernel

Details: It was discovered that the CIFS client implementation in the Linux kernel did not properly handle setup negotiation during session recovery, leading to a NULL pointer exception. An attacker could use this to create a malicious CIFS server that caused a denial of service (client system crash). (CVE-2018-1066)

It was discovered that the socket implementation in the Linux kernel contained a type confusion error that could lead to memory corruption.

It was discovered that a race condition existed in the vsock address family implementation of the Linux kernel that could lead to a use-after-free condition. A local attacker in a guest virtual machine could use this to expose sensitive information (host machine kernel memory). (CVE-2018-14625)

It was discovered that the debug interface for the Linux kernel’s HID subsystem did not properly perform bounds checking in some situations. An attacker with access to debugfs could use this to cause a denial of service or possibly gain additional privileges. (CVE-2018-9516)

Linux kernel (Xenial HWE) vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

The security researchers discovered that the ext4 file system implementation in the Linux kernel could possibly perform an out-of-bounds write when updating the journal for an inline file. An attacker could use this to construct a malicious ext4 image that, when mounted, could cause a denial of service (system crash). (CVE-2018-10883)

The cleancache subsystem of the Linux kernel did not properly initialize new files in some situations. A local attacker could use this to expose sensitive information. (CVE-2018-16862)

The USB subsystem in the Linux kernel did not properly handle size checks when handling an extra USB descriptor. A physically proximate attacker could use this to cause a denial of service (system crash). (CVE-2018-20169)